About mlinsemier

    I guess I am confused.   My rule above, with decryption disabled, functions perfectly.  No traffic is dropped, all websites are working, etc.  This to me proves that the App-ID is properly identifying the traffic and that the traffic on application-default ports are fine.   As decryption is global, and is not applied to a specific security rule, how does the rule above suddenly stop working when encryption is enabled?  I dont see why I would have to add addtional rules with addtional service ports when the existing rules are already working.   Again, this seems pretty cut and dry to me that decryption is not working as intended.  I've had similar issues in 7.0.1 etc that acted the same way, all of them were resolved in 7.0.4+ and were decryption engine bugs.   Perhaps you could give me an example of how I would configure it differently in 7.1 vs 7.0.6. ... View more

by mlinsemier a moment ago Options   I read this, but I don't see, in this case, how it is applicable.   I have a global rule it looks like this:   Rule: Allow Inside --> Outside : Application:any Service: application-default   This means that ssl traffic (https) generated from the inside network to the outside network is only allowed over of the application-default port of ssl, which is 443.  I dont see why I would need to adjust this rule as the internet sites are not using non standard web-browsing and SSL ports.   Additionally, if i disable encryption, the rule above works without issue.  It's specifically decryption related and there is no way to select application when configuring an SSL Forwarder.     -Matt ... View more

Sounds to be almost exactly like our issue.  Are you runniing 6.1.x?  Sounds like it may be behind a port channel as well where sometimes packets may look asymetrical to the Palo Alto, but in reality its just the Cisco hash algorithm balancing traffic.   You could open at ticket with Palo Alto on this and reference case: 00431191   I would be interested to hear if this may speed our resolution of this bug as I finally got the debugs to them at the beginning of the week. ... View more

Are you running in VWire or Layer 3 mode?  We have been facing an issue for some time with our 50xx series firewalls in Active/Active HA mode, but we are running in VWire mode thats sitting on a Layer 2 port channel.     Through a few debug sessions with Palo Alto we have discovered the following:   1) Sometimes sessions aren't being replicated to the other Palo Alto HA pair and when a packet arrives on that firewall, its dropped. 2) Sometimes sessions would not be created at all for small, chatty traffic.   At this time we still do not have Active / Active working.   One thing that we did change that helped (but didnt fix) was change the session and session create owner to "first packet".   Matt ... View more

I had a chance to play with it in beta, but not quite as much as I would have liked too.   I installed it on a lab PA-200 yesterday from a perfectly working version of 7.0.6.   I am having some decrypt issues with websites again.  Sites such as Google Earth, Bing maps, banking websites, etc. are spinning and spinning in Chrome, IE, and Edge eventually come up, but continue to spin.  Search boxes where you would expect to see auto-populated data (say Bing maps) don't work.  Disabling the decrypt SSL rul instantly resolves the issue.   I'll probably open a ticket with Palo Alto again for investigation.  It always seems to boil down to features that I feel we need the most as engineers not working correctly.   Matt ... View more

Are you sure that your clients are configured for PCoIP?  Make sure you check the Horizon Client and make sure PCoIP is checked in the options.   If you are using a security server (such as for public facing clients), SSL will be used for the connection protocol and to encapsulate RDP (TCP) traffic.  PCoIP, from what I've experienced, is a completely different stream UDP stream that will be need to be allowed.   That being said, I didn't set up our View environment, so i can't speak to if its set up in accordance to best practices or not ... View more

The policy will only give you the shadow warning if they are exactly the same (apps, source/destination, etc.)     You do have to be smart though, if you had two apps that both required SSH and App X, and you didn't want to enable SSH for either, if you have two deny SSH rules (to block this part of the app), they have to be unique or put together in the same rule.   -Matt ... View more

This is extremely odd as we have tested this exact configuration without the issues you are having. A few questions:   1)  What version of PAN-OS are you running? 2)  Are there any NAT translations for the Exchange server configured in the ASA? 3)  Do you have any NAT rules for the Exchange server on the Palo Alto (asuming no as it's in VWire mode) 4)  Do you have any security policies configured on the Palo Alto   I have seen some issues with 7.0.2 and 7.0.3 where if you have configured multiple Palo Alto virtual routers on the same vsys with ports connected to the same network (say Internet) advertise MAC addresses on the wrong interface (NAT), but this is all layer 3.  I have never seen something like this in VWire.   I would check your STP, make sure that your Core is setup as the root bridge, validate your VTP (if you use it), and check layer 2.  I would also make sure your in VWire mode and not Layer 2 mode on the Palo Alto.  As a test I would also allow all VLANS (0-4096) on the VWire.   -Matt ... View more

6.1.8 has been stable for us with no perceived issues.  We have been running it since release date. We rolled back to this version from 7.0.3 after dataplane and decryption issues.   We also have a few firewalls running 7.0.4 without issue, but these are mostly PA-200's with not that much traffic going through them.  However, that being said they seem to be running with no issues (comparied to 7.0.1 to 7.0.3).  We will be testing firewalls with heavier loads the first part of 2016 along with HA configurations.   I will keep everyone updated as we move forward.   -Matt ... View more

We run VMWare View (now Horizon) in our environment.  Our experience is that the built in vmware-view application did not work for us.  It seems to expect that all the services will run on one server, which is a little bit unrealistic.  I think Palo Alto should have split them down into their individual applications within View rather than trying to bundle them.  For instance, you may not want to allow RDP for instance, or USB redirection, but by default they are included.  When you start looking to block these it can get tricky and downright just not work because of “rules validation”.   In our case we have separate view hosting and security servers.  For us to get it to work correctly we had to configure custom applications, application overrides, and a few rules for view.  Note that View was the only application that we had to do this for.   Custom Apps:     Application Override     Rules     Remember that PCoIP streams on UDP/4172.  The TCP/4172 side of PCoIP is used for control, which simply looks to be SSL traffic just on a custom port, which is probably why Palo Alto firewalls sees it as SSL.   I'm not a fan of having turn off layer 7 application inspection for these particular servers and ports, but this seemed to be the only option.  If anyone else has done this in a more simplified manner, I would love to hear about it.   -Matt ... View more

Downgraded from 7.0.3 to 6.1.8 and it was relatively painless.  I re-pushed the templates and policies via Panorama and then did the global override for LDAP to add our Active Directory domain (see my article on this) and cleaned up my wildfire rules (changes in 7.x vs 6.x).   So far, so good.  Some of the issues surrounding SSL (such as large file sessions timing out) seem to be resolved now.  There is no support for PFS as stated above (I believe that’s a 7.1.x feature).  I will report again next week on the crashes due to the SSL memory leak which usually take a few days to manifest.   -Matt ... View more

I agree with @john.langford and couldn't have said it better.  We are actually going to downgrade a few active/passive firewalls running 7.0.3 to 6.1.8 just to resolve issues with SSL decryption / dataplane memory leak bugs.  We experienced them in 7.0.1 as well.   I'm hoping 7.1.x gets a more rigorous QA to avoid these types of issues.  Basically in my mind if you want to run SSL Decryption and 7.0.x, it's not if, its just when will your SSL sessions stall or SSL buffers run out before you have to reboot / restart the dataplane.  I'm actually surprised that the software posted hasn't been deffered.   Love the product however I am not sure what happened with 7.0.x.   -Matt ... View more

I can let you know tonight.  With 7.0.4 still being almost a month away, we just can't wait that long so I am basically being forced to downgrade a few firewalls to resolve stability issues.     I've fought long and hard with 7.0.1, 7.0.2, and now 7.0.3 with SSL issues and memory leaks that caused more havoc than I would like to admit too.  As an early adopter I expected some issues, but not like these.  For me 6.0.x and 6.1.x were rock solid where I had very few issues.  Hopefully, with 7.1.x, Palo Alto can restore some of my faith.  I love the product I just didn't expect these types of issues from such a great vendor.   -Matt   P.S.  It would be great if Palo Alto had a better hotfix / special software program for there customers as well.  I can get a special build from Cisco to fix a specific bug that may be plaguing our environment.  I was hoping that Palo Alto would have a similar type program but apparently that is not the case. ... View more